On Wed, Sep 03, 2003 at 01:03:20PM +0200, Roberto Nibali wrote:
> Hi guys,
>
> >>>a) It's not part of a load balancer to do security.
> >>
> >>So are you saying that even if the Antefacto patch didn't
> >>have the problem of the slow netfilter code, that you still
> >>shouldn't be using the director as a firewall?
> >
> >Personally I think that is a matter of mechanism vs policy.
>
> I agree 100% with Horms here. If netfilter is a good enough policy for
> people they should certainly use the Antefacto patch and we should thus
> make sure it will coexist nicely with the current implementation status
> of LVS.
>
> I know that I have been a bit "tense" in the past when it came to
> security and LVS. I realised that most people do not have to take the
> level of security counter measures like we do, so instead of
> categorically denying the use of netfilter in conjunction with LVS I
> acknowledge its right to exist as a completely viable solution for a site.
I think that if we make it a compile time and/or (global) run time
option (as I think you suggested) and document the potential issues
relating to security and performance then everyone can be happy!
Although that does mean additional code paths that need to be tested,
we can probably live with that. Especially if people are using it
and thus testing it, which is after all where this discussion came from.
--
Horms